Pages

Mobile security experts and solution providers agree. They say Cuepertino, Calif.-based Apple has the edge because it owns so much of the mobile stack -- from the application layer (App Store), operating system (iOS), hardware (iPhone/iPad) but not the infrastructure layer (wireless carriers).

"iOS is the most secure because attention to security is focused at the app level as much as it is at the operating system level," said Ira Grossman, CTO of end user and mobile computing at Cleveland-based MCPc, a national solution provider specializing in mobile solutions with its Anyplace Workspace.

"If you don't have a secure app, it doesn't matter how secure the operating system is," Grossman said. "So the fact that the Apple Store is curated, that provides a level of security that you don't get today with the standard Android app store."

But just because Apple enforces tight oversight on its App Store doesn't necessarily give it an advantage over its competitors when it comes to app security. According to Veracode, Apple mobile applications represent as many potential risks as its closest competitor Android when it comes to some of the largest threat vectors.

In an analysis of thousands of Apple and Android apps used by its clients, Veracode found a nearly equal number of insecure cryptographic storage issues on apps where a hacker could steal financial or stored credentials off an app. Veracode also found an equal exposure to application error handling that could lead to cross-site scripting attacks where a script drawn from a website is allowed to run and can be used to steal information or potentially cause other malicious code to run on the handset.

"Apple has evolved furthest up the security stack. Every application is sandboxed, meaning storage and memory are isolated. It has the most control over patching," said one large security expert at a large mobile device management firm who asked not to be identified.

Patch level management and control over update deployment is a crucial advantage Apple has over its Android rival, according to many MDM companies. When it comes to Apple, which pushes out its own patches directly to users, it can mean security vulnerabilities are patched in a matter of 24 hours.

That gives Apple the edge over Android, they say, as Android relies on wireless carriers to push out their patches and OS updates to fix security flaws in the Android OS. Making matters worse for Android users is the fragmentation of the Android OS where hardware and OS version numbers can sometimes require a unique patch for each flavor of Android OS.

Unlike with Apple, Android users run a hodgepodge of Android variant OSes. Exasperating matters for Android users is that carriers have a track record of dragging their feet when it comes to rolling out patches to customers. Even MDM vendors say they have trouble managing them all.